Valm_Valeria 1 Posted ...

Hello everyone,

I have been using airvpn settings, applying the separate keys and settings from the configurator in the client area, successfully on earlier versions of FreeBSD, exclusively as client machines accessing the WWW. I have a problem applying openvpn and wireguard settings in version 14.2.

On the openvpn settings, I can't handle the tls-crypt key file. I use various syntax in the configuration file, like "tls client" or "tls-crypt path...to the key", without luck. As for the wireguard attempts, I get a wg interface running but no access to the WWW. I use ipfw, set as "client", nothing more.

Anyone experienced such difficulties or has successfully set airvpn on clients? On linux machines everything works smoothly and I am happy with the new version of eddie. Congrats to the community and the Airvpn group!

Staff 10111 Posted ...

14 hours ago, Valm_Valeria said:
> Anyone experienced such difficulties or has successfully set airvpn on clients?

Hello!

FreeBSD 14.2 is routinely used every day by AirVPN founders and this problem has not been experienced so far. Let's troubleshoot with pre-agreed exact configuration files. Please tell us the exact settings you enter on the Configuration Generator to reproduce the problem with WireGuard as well as OpenVPN. Also, please check all the ipfw rules (if in doubt, please publish them).

Thank you for your great feedback!

Kind regards

Valm_Valeria 1 Posted ... (edited)

Thank you kindly for your response!

My firewall rules are:

    firewall_enable="YES"
    firewall_quiet="YES"
    firewall_type="client"
    firewall_allowservices="any"
    firewall_logdeny="YES"

On the Configuration Generator I select "Linux", "advanced", "separate keys", I usually select an alternative port for both openvpn or wireguard, with 3 ip entries, and I select a single server.

The configuration file I get for Wireguard is usually of this type:

    [Interface]
    Address = x.z.i.c.y/xz,fd7d:asdas:asda:sadfd:asda:asda:e8d0/zxc
    PrivateKey = xxxxxxxxxxxxxxxxxxxx=
    MTU = 1320
    DNS = as.asdasd.asd, asda:asd:asda:sdaas::1

    [Peer]
    PublicKey = xxxxxxxxxxx+yyyyyyyyy+zzzzzz+sssk=
    PresharedKey =xxxx+xxxxxxxxx=
    Endpoint = asd.zxc.asd.sdsf:47107
    AllowedIPs = 0.0.0.0/0,::/0
    PersistentKeepalive = 15

which comes along with 3 keys. I copy them all in the system wireguard folder (the configuration and the 3 provided keys). I add the above info as it is, but I have also tried without the MTU and with different airvpn DNS (which in the machine is added automatically from resolv, when provided in the wg configuration file). I have tried mostly with only the ip4 provided information, excluding the ip6 part of the info, but not excluding it from my tests.

Regarding the openvpn configuration file and the keys which I add on my system, they are like the ones I was using in the past, with the difference that I don't know how to expose the tls-crypt key in the configuration file. I thought that I don't have to enable the ta.key in the configuration file of my system and I used various syntax enabling tls encryption, syntax like "tls crypt tls-crypt.key", "tls client" and others, without luck. I get a msg for a problem on the handshake with airvpn.

Please forgive my lack of proficiency in the freebsd area. I was always set and forget about them, with only basic knowledge of the system. I'd also like to thank in advance anyone who pays attention to my post.

Please let me know if you need more specific information or logs.

Staff 10111 Posted ...

@Valm_Valeria Hello!

20 hours ago, Valm_Valeria said:
> On the Configuration Generator I select "Linux", "advanced" , "separate keys", I select an alternative port usually for both openvpn or wireguard, with 3 ip entries and I select a single server.

What are the servers you selected? From various tests we do not get any problem. However, this step could be crucial:

20 hours ago, Valm_Valeria said:
> I copy them all in the system wireguard folder (the configuration and the 3 provided keys).

This is unclear. In WireGuard the keys are always embedded in the configuration file. Just rename the configuration file you downloaded with a short name and enter the following command (with root privileges):

    wg-quick up "path and name of the WireGuard configuration file here"

Do you get any error with the above command?

Kind regards

Valm_Valeria 1 Posted ... (edited)

Greetings!

I followed the recommended steps, directly renaming a server.conf into airvpntest.conf. This is what the cmd prints:

    root@valeria:/usr/local/etc/wireguard # sudo wg-quick up airvpntest
    [#] ifconfig wg create name airvpntest
    [#] wg setconf airvpntest /dev/stdin
    [#] ifconfig airvpntest inet 10.180.86.232/32 alias
    [#] ifconfig airvpntest mtu 1320
    [#] ifconfig airvpntest up
    [#] resolvconf -a airvpntest -x
    [#] route -q -n add -inet 0.0.0.0/1 -interface airvpntest
    [#] route -q -n add -inet 128.0.0.0/1 -interface airvpntest
    [#] route -q -n delete -inet 37.46.117.92
    [#] route -q -n add -inet 37.46.117.92 -gateway 192.xxx.xxx.xxx
    [+] Backgrounding route monitor
    root@valeria:/usr/local/etc/wireguard # ifconfig
    vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
            options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
            ether 08:00:27:81:fe:4f
            inet 192.xxx.xxxx..xxx netmask 0xffffff00 broadcast 192.xxx.xxx..xxx
            media: Ethernet autoselect (10Gbase-T <full-duplex>)
            status: active
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
            options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
            groups: lo
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    airvpntest: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1320
            options=80000<LINKSTATE>
            inet 10.180.86.232 netmask 0xffffffff
            groups: wg
            nd6 options=109<PERFORMNUD,IFDISABLED,NO_DAD>

I see the interface but I can't ping anything out of my box. I went further, starting from the thought that I had denied ping attempts, to tweak the firewall rules. I tried the "desktop" and manual tweaks over the "client" mode of ipfw and nothing worked. So after deactivating ipfw everything worked smoothly.

No IP leaking and superb server pings. Being covered by my router's firewall is sufficient until I figure out how to adapt pf rules. I haven't been tweaking much in freebsd for a long time; as I mentioned, it was always setup and forget with my freebsd systems.

Wow, this must be a super fast implementation of a wireguard client connection with airvpn servers. Only download server info and mv to the wireguard directory, plus a few secs to enable the service on boot. If I only knew from the beginning lol. So thank you for helping me out on this!

I will make more tests on the openvpn configuration and send feedback. If you have any recommendations about the proper tls-crypt key implementation, please let me know.

Kind Regards
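
Added example, not part of any post in this thread and not AirVPN's own instructions: as an alternative to turning ipfw off, the function below reads a wg-quick file and prints the two rules a default-deny ipfw ruleset needs for the tunnel shown above (UDP to the WireGuard endpoint, and stateful outbound traffic on the wg interface). Assumptions: the stock "client" ruleset does not already pass that traffic, the rule numbers 500/510 are free and sort before any deny rule, and the 192.0.2.10 endpoint and placeholder keys in the sample are constructed.

```shell
#!/bin/sh
# Added example: derive ipfw allow rules for a wg-quick tunnel.
# Rule numbers 500/510 are assumptions; choose numbers that sort before
# the deny rules shown by `ipfw list` on your system.

# Constructed sample config (placeholder keys, documentation-range endpoint).
write_sample() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.180.86.232/32
PrivateKey = PLACEHOLDER=
MTU = 1320

[Peer]
PublicKey = PLACEHOLDER=
Endpoint = 192.0.2.10:47107
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15
EOF
}

# wg_ipfw_rules CONF: print one ipfw command per line, or return 1.
wg_ipfw_rules() {
    conf=$1
    ifname=$(basename "$conf" .conf)   # wg-quick names the interface after the file
    endpoint=$(sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$conf" |
        head -n 1 | tr -d '[:space:]')
    [ -n "$endpoint" ] || { echo "no Endpoint in $conf" >&2; return 1; }
    host=${endpoint%:*}
    port=${endpoint##*:}
    # Accept only a numeric IPv4 address, so the rule does not depend on
    # DNS working before the tunnel is up; hostnames and IPv6 are rejected.
    case $host in
        ''|*[!0-9.]*) echo "endpoint must be a numeric IPv4 address" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    # 1) the encrypted WireGuard packets to the server, replies via state
    echo "ipfw -q add 500 allow udp from me to $host $port out keep-state"
    # 2) traffic originated locally inside the tunnel, replies via state
    echo "ipfw -q add 510 allow ip from me to any out via $ifname keep-state"
}

# Demo on the constructed config.
tmp=$(mktemp -d)
write_sample "$tmp/airvpntest.conf"
wg_ipfw_rules "$tmp/airvpntest.conf"
rm -rf "$tmp"
```

Review the printed commands against `ipfw list` before running them as root; traffic that is not matched by these rules still falls through to the existing ruleset.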